
Compliance crosswalk · HIPAA

HIPAA Security Rule - email + domain controls, mapped to Wiredepth

Framework version: 45 CFR Part 164 Subpart C (Security Rule), with HHS 2024 updates

Who this is for. Covered entities (health plans, healthcare clearinghouses, providers transmitting health information electronically) and business associates. Email-based PHI transmission + phishing attacks on healthcare personnel are the leading cause of HIPAA breaches reported to OCR.

Where email + domain controls fit. The Security Rule organizes safeguards into Administrative (§164.308), Physical (§164.310), and Technical (§164.312). Email controls show up most directly under Technical: §164.312(e) Transmission Security and §164.312(b) Audit Controls. The 2024 proposed updates (which HHS is still finalizing as of mid-2026) explicitly cite email authentication as part of the transmission-integrity expectation.

Clause-by-clause mapping

Each row maps a specific HIPAA requirement to the Wiredepth surface that addresses it. The clause ids are the framework's own naming - verify them against the official text. We use precise language: "addresses" (the tool directly satisfies the control), "supports" (the tool contributes evidence the auditor will need), and "evidence for" (the artifact is part of the attestation package).

Clause | Requirement | Wiredepth response

§164.312(e)(1) [Transport]
  Requirement: Transmission Security - implement technical security measures to guard against unauthorized access to ePHI being transmitted over an electronic communications network. Email is in scope.
  Wiredepth response: MTA-STS + TLS-RPT checker validates enforce-mode transport encryption. DMARC analyzer confirms authentication of outbound PHI-bearing email.

§164.312(e)(2)(ii) [Transport]
  Requirement: Encryption (addressable). Implement a mechanism to encrypt ePHI whenever deemed appropriate. For email, that effectively means TLS in transit + signed sender authentication.
  Wiredepth response: TLS checker verifies the receiver-side encryption posture. DKIM checker confirms outbound message signing. Together they evidence the "authenticated + encrypted" transmission story.

§164.312(c)(1) [Authentication]
  Requirement: Integrity - protect ePHI from improper alteration or destruction. For email, integrity is provided by DKIM (cryptographic signature on the message body + headers).
  Wiredepth response: DKIM checker validates the published key + signature alignment. Spoofability checker rolls integrity into the composite verdict.

§164.312(b) [Monitoring]
  Requirement: Audit Controls - implement hardware, software, and procedural mechanisms that record and examine activity in systems containing or using ePHI. Outbound email activity is an audit-relevant data flow.
  Wiredepth response: DMARC report viewer turns the daily RUA XML into a readable audit trail. Wiredepth Pro continuous monitoring + change history covers regression evidence.

§164.308(a)(1)(ii)(A) [Inventory]
  Requirement: Risk Analysis - conduct an accurate and thorough assessment of the potential risks to the confidentiality, integrity, and availability of ePHI. Inventory of email-sending vendors is part of the analysis.
  Wiredepth response: Vendor consolidation audit inventories every third party authorized to send mail as your domain - the "what could go wrong" surface for OCR-style risk analysis.

§164.308(b)(1) [Inventory]
  Requirement: Business Associate Contracts. Covered entities must obtain satisfactory assurances that BAs will protect ePHI. Vendors with mail-sending authorization for your domain often qualify as BAs.
  Wiredepth response: Vendor consolidation audit identifies which third parties have send rights - the universe of vendors that may need a BAA. Vendor-scoring tool tracks ongoing security posture.
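
The §164.312(b) row says the report viewer turns the daily RUA XML into an audit trail. Here is an added example of that transformation, not Wiredepth's own code: it parses a constructed DMARC aggregate report (RFC 7489 Appendix C layout; the domains, IPs and report id are invented) into per-source rows carrying the DMARC-aligned DKIM/SPF verdicts and disposition that a §164.312(c) integrity reviewer would want on file.

```python
import xml.etree.ElementTree as ET
# Constructed DMARC aggregate (RUA) report in the RFC 7489 Appendix C layout: one
# aligned sender plus one unauthenticated source that the receiver rejected.
SAMPLE_RUA = """<feedback>
 <report_metadata><org_name>mx.example</org_name><report_id>c-001</report_id>
  <date_range><begin>1700000000</begin><end>1700086400</end></date_range></report_metadata>
 <policy_published><domain>clinic.example</domain><p>reject</p><pct>100</pct></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>40</count>
   <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>clinic.example</header_from></identifiers>
  <auth_results><dkim><domain>clinic.example</domain><selector>s1</selector><result>pass</result></dkim>
   <spf><domain>clinic.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>3</count>
   <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>clinic.example</header_from></identifiers>
  <auth_results><spf><domain>other.example</domain><result>pass</result></spf></auth_results></record>
</feedback>"""

def text(node, path, default=""):
    """Read one descendant's text, tolerating reports that omit optional elements."""
    found = node.find(path) if node is not None else None
    return found.text.strip() if found is not None and found.text else default

def summarize_rua(xml_text):
    """Flatten one aggregate report into audit-trail rows, one per <record>."""
    root = ET.fromstring(xml_text)          # reports come from third parties: parse, never trust
    meta = root.find("report_metadata")
    rows = []
    for rec in root.findall("record"):
        row, pe = rec.find("row"), rec.find("row/policy_evaluated")
        dkim_ok = text(pe, "dkim") == "pass"    # DMARC-aligned DKIM verdict (integrity evidence)
        spf_ok = text(pe, "spf") == "pass"      # DMARC-aligned SPF verdict
        rows.append({
            "reporter": text(meta, "org_name"),
            "report_id": text(meta, "report_id"),
            "source_ip": text(row, "source_ip"),
            "count": int(text(row, "count", "0")),
            "header_from": text(rec, "identifiers/header_from"),
            "dkim_selector": text(rec, "auth_results/dkim/selector"),
            "dkim_aligned": dkim_ok,
            "spf_aligned": spf_ok,
            "disposition": text(pe, "disposition"),
            "needs_review": not dkim_ok,        # no aligned signature: integrity not evidenced
        })
    return rows

def unauthenticated_volume(rows):
    """Messages failing both aligned checks: the unknown-sender surface for the risk analysis."""
    return sum(r["count"] for r in rows if not r["dkim_aligned"] and not r["spf_aligned"])
```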

What auditors actually look at

What OCR investigators and HIPAA assessors look at when email or domain posture comes up in a covered entity's security analysis:

  • Documented DMARC + DKIM posture in the risk analysis (§164.308). A printable scorecard with a timestamp lives easily in this section of the risk-assessment binder.
  • List of BAAs that aligns with your authorized-vendor inventory. A SendGrid or HubSpot in your SPF without a corresponding BAA is a flag.
  • Phishing-response procedure. OCR expects an actual workflow, not just a policy doc. Click-through reporting from inside the mailbox covers both the policy and the demonstrated workflow.
  • Transmission-security posture demonstrably maintained over time. Continuous-monitoring alerts + change-history reports are how the "ongoing" expectation is shown to an auditor.
  • Workforce training documentation. §164.308(a)(5) is about workforce competence; the extension being installed + the scam-check workflow being demonstrably used both feed into that evidence package.
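
The second bullet's check (a vendor in your SPF with no corresponding BAA) can be run mechanically. Added example, not Wiredepth's vendor consolidation audit: it walks a constructed set of SPF records (DNS TXT answers stubbed in a dict so it runs offline; the mailhost/crm/loop domains and the BAA inventory are invented) and reports the senders with no BAA on file, the DNS-lookup count against the RFC 7208 limit of 10, and a weak terminal "all".

```python
# Constructed SPF records standing in for DNS TXT answers so the walk runs offline;
# the domains and vendors are illustrative, not any real tenant's configuration.
DNS_TXT = {
    "clinic.example": "v=spf1 include:_spf.mailhost.example include:sendgrid.net "
                      "include:_spf.crm.example ip4:203.0.113.0/24 -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.0/24 include:relay.mailhost.example ~all",
    "relay.mailhost.example": "v=spf1 ip4:198.51.100.128/25 -all",
    "sendgrid.net": "v=spf1 ip4:192.0.2.0/24 -all",
    "_spf.crm.example": "v=spf1 ip4:192.0.2.128/25 -all",
    "loop.example": "v=spf1 include:loop.example ?all",
}
# Constructed inventory: domains whose operator has a signed BAA on file.
BAA_ON_FILE = {"_spf.mailhost.example", "relay.mailhost.example"}

def audit_spf(domain, txt=DNS_TXT, seen=None):
    """Walk include:/redirect= chains and report every third party with send rights,
    how many DNS-lookup terms were used (RFC 7208 allows at most 10), and a weak 'all'."""
    seen = set() if seen is None else seen
    result = {"senders": [], "lookups": 0, "weak_all": False}
    record = txt.get(domain, "")
    if domain in seen or not record.startswith("v=spf1"):
        return result                       # missing record or include loop: stop here
    seen.add(domain)
    for term in record.split()[1:]:
        mech = term.lstrip("+-~?")          # drop the qualifier, keep the mechanism
        if mech.startswith(("include:", "redirect=")):
            target = mech.split(":", 1)[1] if mech.startswith("include:") else mech.split("=", 1)[1]
            sub = audit_spf(target, txt, seen)
            result["senders"] += [target] + sub["senders"]
            result["lookups"] += 1 + sub["lookups"]
        elif mech.split(":")[0].split("/")[0] in ("a", "mx", "ptr", "exists"):
            result["lookups"] += 1          # these mechanisms also cost a DNS lookup
        elif mech == "all":
            result["weak_all"] = term in ("all", "+all", "?all")
    return result

def baa_gaps(audit, baa=BAA_ON_FILE):
    """Senders authorized in SPF with no BAA on file: the flag an OCR reviewer would raise."""
    return sorted(set(audit["senders"]) - baa)
```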

Generate a HIPAA-tagged evidence pack (Wiredepth Prove)

Prove subscribers can generate a ZIP of all five workpapers + a HIPAA README in one click. Single domain, single click, ready to file in your audit binder. See pricing at /pricing#prove ($499/mo standalone, bundled in Enterprise).

Disclaimer. This crosswalk is provided for informational purposes. It is not legal advice, audit guidance, or a substitute for engagement with a qualified assessor (QSA for PCI, accountant or QSA for SOC 2, lawyer for HIPAA / NIS2 / SEC). Framework clause ids and language may have been updated since publication; verify against the official text. Wiredepth does not guarantee compliance based on the use of any tool or page on this site.